Kafsemo.org, Joseph Walton

Talking HTTP/2
2015-01-08
http://www.kafsemo.org/2015/01/08_talking-HTTP-2.html

HTTP/2 is very different from the established, textual HTTP/1.1,
and may not even be supported by the server we’re talking to. If we
started with an HTTP/1.1 connection,
switching protocols is exactly what the
Upgrade header
has been waiting around for since it was
introduced in 1997.
As per
HTTP/2 Version Identification,
we want to upgrade to h2c-<draft>,
or h2-<draft> over TLS. Use of these, rather than the expected
(and planned)
‘HTTP/2’ is
controversial
but part of the standard.

There’s one extra mandatory header (HTTP2-Options) but, from the
description in draft 14,
an empty header is a valid way to use defaults.

The nghttp2 project has made a server available
that understands draft 14 and an Upgrade from HTTP/1.1, on port 80 of
nghttp2.org.

Response

HTTP/1.1 200 OK

They’re not rejecting a valid request, like Google, but they’re not upgrading
to HTTP/2 either.

NPN, ALPN

Although the Upgrade: header can be used to upgrade an HTTP/1.1
connection to HTTP/2, that’s not universally supported: some browsers
and servers have decided not to support HTTP/2 over non-TLS connections at all.

The headers are encoded using HPACK, a parallel specification to HTTP/2. It describes an elaborate system of default header values and stateful
compression that make it extremely efficient to send
very common headers,
and repeated headers, along with Huffman encoding for the values.

Amidst the SSL debugging output and plaintext payload we see what we
were after: a full HTTP/2 response to our HTTP/2 request.

An HTTP/2 response

But sending requests is only half of the web. We want to make sense of
what’s being sent back.

It’s not quite a reference implementation, but here’s enough Python
to decode frame boundaries. We’ll also go a bit further and show
the connection settings that the server wants to use (see
Defined SETTINGS parameters for meanings).

There are a few things to notice here. SETTINGS_INITIAL_WINDOW_SIZE
is being set to 65536, which is already the default. Then, the headers
(Type: 4). Twitter aren’t using the same lazy hack I did, so you’d
need a proper HPACK decoder to make
sense of them. Then, a number of DATA frames ending with
one with END_STREAM set.
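A frame-boundary decoder of the kind described above, as an added example that is not the post's own code: it follows the final RFC 7540 frame layout (9-octet header with a 24-bit length, SETTINGS as 16-bit identifier / 32-bit value pairs) rather than draft 14's 8-octet header, and runs over a constructed sample of a SETTINGS frame, a HEADERS frame and two DATA frames, the last with END_STREAM set.

```python
import struct

# Added example, not code from the original post. Layout is the final RFC 7540
# framing (9-octet header, 24-bit length), not draft 14's 8-octet header.
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
SETTINGS_NAMES = {0x1: "SETTINGS_HEADER_TABLE_SIZE", 0x2: "SETTINGS_ENABLE_PUSH",
                  0x3: "SETTINGS_MAX_CONCURRENT_STREAMS", 0x4: "SETTINGS_INITIAL_WINDOW_SIZE",
                  0x5: "SETTINGS_MAX_FRAME_SIZE", 0x6: "SETTINGS_MAX_HEADER_LIST_SIZE"}
END_STREAM = SETTINGS_ACK = 0x1  # same bit; its meaning depends on the frame type

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload); stop cleanly at a truncated frame."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF  # drop R bit
        if pos + 9 + length > len(buf):
            break  # partial frame: wait for more bytes rather than misparse
        yield ftype, flags, stream_id, buf[pos + 9:pos + 9 + length]
        pos += 9 + length

def decode_settings(payload):
    """SETTINGS payload: repeated (16-bit identifier, 32-bit value) pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 octets")
    pairs = (struct.unpack(">HI", payload[o:o + 6]) for o in range(0, len(payload), 6))
    return {SETTINGS_NAMES.get(i, f"UNKNOWN_0x{i:x}"): v for i, v in pairs}

def summarise(buf):
    """One line per frame, expanding SETTINGS and flagging END_STREAM."""
    lines = []
    for ftype, flags, sid, payload in iter_frames(buf):
        line = f"{FRAME_TYPES.get(ftype, 'UNKNOWN')} stream={sid} len={len(payload)}"
        if ftype == 0x4 and not flags & SETTINGS_ACK:
            line += " " + str(decode_settings(payload))
        if ftype in (0x0, 0x1) and flags & END_STREAM:
            line += " END_STREAM"
        lines.append(line)
    return lines

def frame(ftype, flags, sid, payload):
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", sid) + payload

# Constructed sample, not a real capture: SETTINGS, HEADERS, then two DATA frames.
SAMPLE = (frame(0x4, 0, 0, struct.pack(">HI", 0x4, 65536) + struct.pack(">HI", 0x3, 100))
          + frame(0x1, 0x4, 1, b"\x88")      # END_HEADERS; HPACK indexed ':status: 200'
          + frame(0x0, 0, 1, b"<html>")
          + frame(0x0, 0x1, 1, b"</html>"))  # END_STREAM closes the response
```

Running `summarise(SAMPLE)` gives one line per frame; feeding it a buffer cut mid-frame yields only the complete frames, which is what a real reader sitting on a socket needs.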

In summary

You can’t talk HTTP/2 by typing and, despite a relatively simple spec,
it’s not a weekend hack anymore. Just as you wouldn’t write your
own SSL implementation, rolling your own HPACK and HTTP/2 implementations
is not really feasible.

In a sense that’s good — widely-used libraries tend to be higher
quality. On the downside, anything that increases the barrier
to entry can easily reduce diversity.

Far more than HTTP/1.1, HTTP/2 feels specialised. If you’re
a large company
operating modern web applications for customers on up-to-date
browsers, with latency being worth complexity and engineer
effort, it’s a win. If you’re after a generic, extensible
model with all optimisations left to the appropriate layers in the stack,
maybe less so. It’s one of the most notable layering violations
since ZFS.

As an engineering effort, it’s ingenious and opinionated.
Many people vocally and articulately object to it,
on both technical and political grounds.
Debate and merits
aside, I expect it to improve the browsing experience for the majority
of users out there: that’s a good thing, even if it’s not
another twenty-year protocol.

Most protocols have libraries and tools available to abstract away the
underlying communications.
However, if you’re a full-stack developer, you’ll have used
telnet to talk a protocol directly, and it’s very likely to have
been HTTP. It’s a textual request/response protocol. telnet to
port 80:

$ telnet www.apache.org 80

Wait for a connection:

Trying 54.172.167.43...
Connected to www.apache.org.
Escape character is '^]'.

Then type the request and wait for a response and for the server
to close the socket:

HTTP/2

That’s dangerously close to being the current version of arguably the most
important protocol on the Internet. Even if I’m going to be using it
through libraries and browsers, I should at least know how to craft
a basic request and parse a response.

HTTP/2 is no longer textual: it’s a binary protocol.
After looking at the spec (draft 16)
it took me way longer than those examples to get something
that would talk HTTP/2, so that’s
a separate post.

I Monster, “Lust for a Vampyr”
http://www.kafsemo.org/cgi-bin/meta.cgi/2015/01/03_talking-HTTP-0.html

Please check TLS hostnames
2015-01-01
http://www.kafsemo.org/2015/01/01_please-check-TLS-hostnames.html

I need a quick script to check a mailbox. My go-to
language is Python,
and its batteries-included philosophy means I go straight to
imaplib:

Before I send my username and password over this connection:

I know I have a secure connection.
I know that I requested a connection to imap.gmail.com, and I can also
see that I haven’t tampered with any crypto defaults I don’t understand.

Ready?

If your intention is to provide a library or service, make it secure by
default. Your users may not thank you when things break, but it’s
the responsible choice.
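As an added example (not the post's script), a small wrapper that gives imaplib the secure-by-default behaviour argued for above: it supplies a hostname-verifying ssl context when the caller doesn't pass one, and refuses to connect at all, before any network I/O, with a context that has hostname checking or certificate verification switched off. The function names are assumptions of this example.

```python
import imaplib
import ssl

# Added example, not the original post's code. A "secure by default" wrapper
# around imaplib.IMAP4_SSL: the caller cannot accidentally send credentials
# over a connection whose peer was never verified.

def verifying_context():
    """Default context: CA chain verification on and hostname checking on."""
    return ssl.create_default_context()

def verifies_peer(ctx):
    """True only if ctx both requires a certificate and matches the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def open_mailbox(host, port=imaplib.IMAP4_SSL_PORT, ctx=None):
    """Connect over TLS; raise before any I/O if the context cannot verify the peer."""
    ctx = ctx or verifying_context()
    if not verifies_peer(ctx):
        raise ValueError(f"refusing to send credentials to {host}: "
                         "TLS context does not verify the peer")
    # IMAP4_SSL hands ssl_context to the wrapped socket, so the host given
    # here is the name the server's certificate must match.
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)

def unverified_context():
    """What 'tampering with crypto defaults' looks like: verification disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```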

Cracker, “El Cerrito”
http://www.kafsemo.org/cgi-bin/meta.cgi/2015/01/01_please-check-TLS-hostnames.html

Links

Wondermark » Archive » #1097; Always Right has Never Left (2015-01-30): “My way of thinking is much simpler.”
http://wondermark.com/1k97/

R (and SPARQL), part 2 - bobdc.blog (2015-01-21): “to find out how closely the number of employees in the companies making up the Dow Jones Industrial Average correlated with the net income”
http://www.snee.com/bobdc.blog/2015/01/r-and-sparql-part-2.html

Giles Bowkett: Versioning Is A Nuanced Social Fiction; SemVer Is A Blunt Instrument (2015-01-07)
http://gilesbowkett.blogspot.com.au/2015/01/versioning-is-nuanced-social-fiction.html?m=1

Psychosomatic, Lobotomy, Saw: Celebrating 2 years of blogging! (2014-10-28): “just the sort of excuse I needed to dig deeper into corners of Java and concurrency I find exciting”
http://psy-lob-saw.blogspot.com/2014/10/celebrating-2-years-of-blogging.html

photo (2013-09-04): “Hi. So this place can’t be for real, can it..?”
http://www.viruscomix.com/page582.html

jwz: I resemble this remark (2013-05-14)
http://www.jwz.org/blog/2013/05/i-resemble-this-remark/

Ode to a Shipping Label